Canada

14 March 2012

The Canadian Radio-television and Telecommunications Commission (CRTC) has finalised its regulations under Canada's Anti-Spam Legislation (CASL), resulting in a set of rules that are more balanced, reasonable, and in line with the objectives of the legislation. The new requirements are also more consistent with the requirements under the U.S. CAN-SPAM Act of 2003, with which many senders are already familiar.

CASL creates rules for sending commercial electronic messages (CEMs) and installing computer programs. It also establishes a general prohibition against the alteration of transmission data and is expected to come into force later in 2012. Industry Canada is also responsible for developing regulations, and should be posting another version of its regulations within the next month or so.

The CRTC originally posted draft regulations for comment in June of 2011, which generated a significant number of responses, many of which pointed to the potential challenges for anyone sending email or other electronic messages for business purposes. With these final regulations the CRTC has addressed a number of issues raised by stakeholders:

Consent in writing - A request for consent is no longer required to be in writing; rather, consent can be requested orally. This does not give free rein for senders to assert that they have consent without evidence, however, as anyone claiming to have consent bears the burden of proving it under the legislation.

Information to be included in a request for consent/CEM - The CRTC has dialed back the quantity of information to be included when requesting consent and in a CEM. A sender is now required to provide:

the name of the person seeking consent or sending the CEM (or, if different, the person on whose behalf consent is sought or the message is sent); the regulations specify that a person must be identified by the name under which the person carries on business, if that differs from the person's actual name;

if the message is sent on behalf of another person, a statement indicating who is or will be sending and on whose behalf the message is or will be sent;

the mailing address and either a telephone number, an email address or a web address of the person sending the message (or on whose behalf it is or will be sent);

when seeking consent, a sender must indicate that the individual can withdraw consent at any time.

The draft regulations would have required a person sending a CEM to provide every electronic address that person uses, as well as a physical, mailing and web address. Furthermore, they would have required a CEM to provide all of that information for the person sending as well as every person on whose behalf the message is sent, which would have been particularly onerous where a CEM includes content for several advertisers, such as in a newsletter (now every person must be identified by name, but other identifying information is only required for one person). Finally, the CRTC has removed the requirement for senders to indicate that a recipient could withdraw consent from any of the many forms of contact information provided to the recipient in a request for consent or CEM. Overall the changes to these provisions are very positive.

Unsubscribe mechanism - the CRTC regulations now simply state that the unsubscribe mechanism in a CEM "must be able to be readily performed". The draft regulations were more prescriptive, stating that the mechanism "must be able to be performed in no more than two clicks or another method of equivalent efficiency".

Now that the CRTC regulations have been finalized, businesses have much more information about how to design marketing campaigns that are CASL-compliant. In particular, these rules provide more of the necessary details to ensure that consent obtained now will be valid once CASL comes into force. The Industry Canada regulations may also be relevant in some circumstances; for example, where one person is seeking consent on behalf of an unknown third party.

06 January 2012

One of the important parts of Canada's new anti-spam law (CASL) is the Spam Reporting Centre. It is intended to serve multiple functions, including to help the government track the effectiveness of its anti-spam enforcement, to collect data to bring legal cases under CASL, and, with appropriate measures to protect individuals' privacy, to allow access to academic researchers.

As reported in this article at canada.com, Industry Canada asked for bids to build and operate the SRC, and is now evaluating the bids and will presumably select a winner in the near future. CAUCE assisted IC in creating the framework and bidding requirements for the SRC.

17 November 2011

It is with the heaviest of hearts that CAUCE must make note of the passing of one of our own. J.D. Falk was a founder of CAUCE, and one of the nicest people in the anti-spam community.

Besides being a board member of CAUCE U.S. since its inception in 1997, he went on to support the organization as a member of the CAUCE North America Executive. His tireless efforts helped to make CAUCE what it is today.

During his career, J.D. worked at Erols, Priori, Critical Path, MAPS, Yahoo!, Microsoft, and Return Path, but perhaps his most important contributions in fighting online abuse were to the Messaging Anti-abuse Working Group, wherein his tireless efforts organizing the MAAWG meetings were literally immeasurable.

J.D. was a prolific author, his writing published on CircleID, at his employer Return Path’s website, and in the RFC process at the Internet Engineering Task Force (IETF). His contributions went far towards making the Internet a better, safer place for us all.

“J.D. was one of a kind,” said CAUCE President John Levine. “Everyone knew him, everyone trusted him, and everyone knew they could count on him to see the real issues.”

J.D. was so very well respected that a professional standards organization, the Internet Engineering Task Force, pulled out all the stops to honor him in his last days. His friends and colleagues Dave Crocker and Murray Kucherawy explain:

The IETF publishes technical specifications and related documents through a series that was started with the beginning of the Internet, called Request for Comments (RFC); the name reflects the Internet's origins as a research body more than 40 years ago.

JD had a document in the approval process (see notice below). J.D.'s document had already been approved by the IETF and it was in the last stages of document editing by the RFC staff. A small group of us asked whether they could expedite the process, more quickly than the expected two months. The IETF staff recruited a technical editor at 1:30am, her time, in New York and she completed the work by the end of the day. J.D. was shown this final draft for his approval, hours before he passed away.

Although the reason was extraordinary, this sort of willingness to help has always been at the core of this small Internet community that JD had joined, and contributed to, throughout his professional life.

J.D. died before his time from cancer. His intelligence, gravitas, good humor and considered opinions were invaluable; CAUCE, and the Internet community, are the poorer for his passing.

CAUCE extends our most heartfelt of condolences to his family and his friends.

02 October 2011

We tweeted, plussed, and re-posted this elsewhere, and at the encouragement of SURBL's Jeff Chan, here's a blog post about this practical advice. (Do read the article in its entirety)

Step 1: Document where your data is stored and how it is accessed.

Step 2: Identify the level of protection your data needs.

Step 3: Secure your company’s data.

Step 4: Create a disaster recovery plan.

Step 5: Know what to do if you experience a data breach.

C-12 is the re-tabling of bill C-29, a bill that died on the order table last year; it is a companion to C-28, Canada's Anti-spam Law; it also has provisions to allow Canadian law enforcement to share data and evidence with agencies outside of Canada, and even among themselves, something that is currently illegal under PIPEDA.

CAUCE supported C-29, and of course supports the passage of C-12. Given the Conservative majority, it is expected that C-12 will pass this legislative session.

The Coalition Against Unsolicited Commercial Email (CAUCE North America Inc.) thanks you for the opportunity to submit our comments on the draft regulations, below.

CAUCE (http://cauce.org) is an all-volunteer Internet end-user advocacy organization. CAUCE has moved beyond its original mission of advocating for anti-spam laws to a broader stance of defending the interests of all users in the areas of privacy and abuse in all its forms on the Internet.

CAUCE is led by a Board of Directors with a cumulative century of experience in the field of Internet advocacy who are active in consulting with governments, law enforcement agencies, and Industry associations.

CAUCE is a participant in many industry initiatives including the Messaging Anti-abuse Working Group (MAAWG), the Anti-phishing Working Group (APWG), the Microsoft Digital Crimes Consortium, the National Cyber-Forensics & Training Alliance (NCFTA), the U.S. National Cyber Security Alliance, the Stop Spam Alliance and the London Action Plan (LAP), and has participated in the Canadian Task Force on Spam, the U.S. Federal Communications Commission (FCC) Communications Security, Reliability And Interoperability Council (CSRIC) and the Anti-spyware Coalition (ASC).

Industry Regulation: PERSONAL RELATIONSHIP AND FAMILY RELATIONSHIP

2. For the purposes of paragraph 6(5)(a) of the Act

(a) “family relationship” means the relationship between individuals who are connected by

(i) a blood relationship, if one individual is the child or other descendant of the other individual, the parent or grandparent of the other individual, the brother or sister of the other individual or of collateral descent from the other individual’s grandparent,

(ii) marriage, if one individual is married to the other individual or to an individual connected by a blood relationship to that other individual,

(iii) a common-law partnership, if one individual is in a common-law partnership with the other individual or with an individual who is connected by a blood relationship to that other individual; and

(iv) adoption, if one individual has been adopted, either legally or in fact, as the child of the other individual or as the child of an individual who is connected by a blood relationship to that other individual; and

(b) “personal relationship” means the relationship, other than in relation to a commercial activity, between an individual who sends the message and the individual to whom the message is sent, if they have had an in-person meeting and, within the previous two years, a two-way communication.

COMMENT: We feel that the ‘in person’ requirement is overly proscriptive; we can envision numerous instances of not having met our correspondents face-to-face in many years or ever, but yet would be on a sufficiently friendly basis to be able to fall reasonably within the context you are attempting to describe. We ask that you consider amending this to be written as “reasonably frequent 2-way non-business communications".

Industry Regulation: CONDITIONS FOR USE OF CONSENT

3. (1) For the purposes of paragraph 10(2)(b) of the Act, a person who obtained express consent on behalf of a person whose identity was unknown may authorize any person to use the consent on the condition that the person who obtained consent ensures that, in any commercial electronic message sent to the person from whom consent was obtained,

(a) the person who obtained consent is identified; and

(b) the authorized person provides an unsubscribe mechanism that, in addition to meeting the requirements set out in section 11 of the Act, allows the person from whom consent was obtained to withdraw their consent from the person who obtained consent or any other person who is authorized to use the consent.

(2) The person who obtained consent must ensure that, on receipt of an indication of withdrawal of consent by the authorized person who sent the commercial electronic message, that authorized person notifies the person who obtained consent that consent has been withdrawn from, as the case may be,

(a) the person who obtained consent;

(b) the authorized person who sent the commercial electronic message; or

(c) any other person who is authorized to use the consent.

(3) The person who obtained consent must inform, without delay, a person referred to in paragraph 2(c) of the withdrawal of consent on receipt of notification of withdrawal of consent from that person.

(4) The person who obtained consent must give effect to a withdrawal of consent and, if applicable, ensure that a person referred to in paragraph 2(c) gives effect to the withdrawal of consent, in accordance with subsection 11(3) of the Act.

COMMENT: In our current experience, data aggregation services often sell email addresses and mobile telephone numbers (with the ability to send SMS spam) to dozens or hundreds of third parties unknown to the consumer, requiring the registrant to unsubscribe from each mail stream individually, in effect completely losing control over the use of his or her address.

CAUCE would like to see an additional regulatory obligation to affirmatively prevent data collectors from attempting to transfer consent to any other parties. In particular, we would like an explicit rule that it is not possible to obtain blanket third-party permission (“our carefully chosen marketing partners”).

Data aggregators must be regulated to maintain records of the parties to whom each address is sold or rented, and to maintain an effective process so that if a recipient opts out from any of the third parties, the recipient is opted out from all of them; these third parties must also be regulated to indicate, in each message, where they obtained the address in the first place. In other words, a single opt-in at the original point of collection should be readily reversible by a single opt-out.

Thank you again for allowing us the opportunity to submit these comments, and we wish you success in this commentary process.

07 September 2011

The CRTC (Canadian Radio-television and Telecommunications Commission) is one of the agencies that will implement Canada's anti-spam law. We filed these generally supportive comments in response to their proposed regulations for the law.

11 August 2011

As you know, Facebook have a long, storied history, including several ongoing brushes with the Privacy Commissioner of Canada, and despite repeated warnings against abuse of end-user rights, they recently deployed facial recognition software with no notice given to their 500,000,000 users.

Today, however, was the straw that broke the camel's back. Unbeknownst to me, perhaps by way of their new 'Facebook Messenger' [update: actually, by way of Facebook's iPhone app.], they have uploaded the address books of hundreds of millions of users' mobile phones.

I found the home, private, business and mobile telephone numbers of 700 friends, colleagues, co-workers, and associates (Facebook users or not) published on their site [update: on my account only - at least, for the moment, but nonetheless up on Facebook] - I never agreed to this, I never knew about this, and it was only by way of the Sophos blog post below that I discovered this.

To check whether the same unfortunate thing has happened to you:

Log into Facebook

Click on Account (upper RH corner)

Click 'edit friends'

Click 'contacts' (LH side)

(There is the option to disable this feature. Turn OFF synching on your mobile phone, then go here)

(This is a non-work post, but Disclaimer: I work for Symantec and regularly talk publicly about security issues)

There’s been lots of talk today online about the latest Facebook privacy debacle whereby they have all your cell phone contacts listed on your “Contacts” page.

Facebook have been trying to quiet the storm, as people are posting to their status updates for people to disable this.

First, to combat some FUD: Facebook is not sharing this information from you with your friends. Your buddies aren’t going to be able to call up your Grandma.

But what Facebook have entirely ignored, and why this is again an issue, is the question of permission.

I have two phones. One is a work phone (BlackBerry), and one is my personal iPhone. The only phone the contacts I had listed on Facebook came from is my BlackBerry, which is good, because I have a lot of random old numbers in my iPhone (don’t ask!).

So what happened here? I believe that the latest BlackBerry Facebook app (which recently underwent a major upgrade) automatically set the preference to sync contacts with Facebook. Now it may very well have been in the multi-page user agreement that I accepted, but yes I admit, I don’t read those things. And those agreements don’t even appear on the iPhone version, because, and here’s the fundamental difference I guess: the iPhone version doesn’t transparently change your preferences.

Facebook needs to stop that. I don’t care if it’s useful, or if you’re not sharing it with anyone else. I don’t want you uploading my contacts to your servers without ASKING me first.

It’s that simple. And this is why there are laws against what they have done in various countries, and why this will probably result in yet another lawsuit against them.

Rant over.

CAUCE are stunned by this move; it is beyond the ken. We will be calling upon Facebook to remove this facility immediately (it should always be opt-in by default, as should ALL end-user options) and, failing that, filing complaints with the proper authorities.

11 July 2011

A number of bills falling under the rubric of 'lawful access' have been kicking around Canadian Parliament for about a decade now. Law enforcement agencies have been pushing for stronger powers for online surveillance and investigations since the 1990s, leading to consultations in 2002, and the introduction of Bill C-74, the Modernization of Investigative Techniques Act, by the Liberal government in 2005. In June, 2009, the Conservatives introduced Bill C-46, the Investigative Powers for the 21st Century (IP21C) Act, and Bill C-47, the Technical Assistance for Law Enforcement in the 21st Century Act. The last Parliamentary session saw the introduction of a suite of three lawful access bills: C-50, 51, and 52.

Bill C-51, the Investigative Powers for the 21st Century Act, would amend the Criminal Code, the Competition Act, and the Mutual Legal Assistance in Criminal Matters Act to do several things, including: allow LEAs to apply for a production order for transmission data relating to an internet or telephone communication; enable preservation orders for communications of a specific subscriber; create new offences regarding computer viruses; establish new powers for the use of tracking devices; and, allow for the use of transmission data recorders. This bill would also make changes to existing offences of making hate propaganda available, sending a message in a false name, and sending false information, indecent remarks or "harassing" messages to broaden their application and, in some cases, increase penalties.

Bill C-52, the Investigating and Preventing Criminal Electronic Communications Act, would require telecommunications service providers to make their networks intercept-capable (similar to the U.S. Communications Assistance for Law Enforcement Act). Intercept requirements apply to transmission data and content of communications. C-52 would also compel telecommunications service providers to provide LEAs with access to data about telecommunications service subscribers (e.g., name, address, telephone number, electronic serial numbers, etc.) without a warrant under certain circumstances.

As bills C-50, 51 and 52 died when the election was called earlier in March, it seems likely that they will be reintroduced in the Fall. CAUCE supports measures that will help the Canadian government and LEAs deal with crime conducted through the internet; however, we also encourage Parliament to engage in a thoughtful and meaningful discussion of any proposals to ensure that potential unintended consequences for internet users are minimized.

We will have more to say about these bills if and when they are reintroduced later this year.

Personal Relationship: Where an individual has met with the person to whom the message is sent in a non-business context, and where there is evidence of non-commercial communication between the individuals within the previous two years.

Family Relationship: defined, for the purposes of the Anti-spam Legislation, to be in keeping with the definitions in the Income Tax Act. The Regulations also specify that it is intended to refer to persons descending from a common grandparent, including aunts, uncles, cousins, nieces, and nephews.

Express consent under the Anti-spam Legislation means that commercial communication may not take place unless the person or corporation in question first consents to be contacted.

Implied consent means that commercial communication may take place with persons or corporations under circumstances where it can be deemed that they might be interested, but the recipients of the communication must be able to “opt out” of such communication.

The second element of the Regulations states that consent to receive messages from a third party is only valid if the individual providing consent will have the ability to unsubscribe to the message, and by the same means be able to alert the original requester that their consent is withdrawn.

The proposed Regulations define “membership” as having applied for, met the formal requirements to belong to an organization, paid any fees required to belong to an organization, and having been accepted as a member in accordance with the membership requirements of the organization.

The proposed Regulations define “club,” “association” or “voluntary organization” as a non-profit organization that is organized and operated exclusively for social welfare, civic improvement, pleasure or recreation or for any other purpose than profit, if no part of the income of which was payable to, or otherwise available for the personal benefit of any proprietor, member or shareholder of that organization unless the proprietor, member or shareholder is an organization the primary purpose of which is the promotion of amateur athletics in Canada.

30 June 2011

As anticipated, the CRTC took a long-awaited step towards Canada's Anti-spam Law coming into force; regulations designed to help define the scope and impact of the law were published late afternoon, June 30. They are available in their full form here: http://www.crtc.gc.ca/eng/archive/2011/2011-400.htm

They are quite terse, coming in at less than 440 words. CAUCE will comment here in due course, but for your instant gratification, here they are:

The proposed regulations prescribe the form and certain information to be included in a CEM. They establish that a CEM must set out information that identifies the sender of the message and, if different, the person on whose behalf the message is sent, as well as, if applicable, the names of those persons’ businesses. The CEM is also to include information that would enable the recipient to readily contact such persons. Further, the proposed regulations prescribe that this information, as well as the unsubscribe mechanism, be set out clearly and prominently.

The proposed regulations also specify a particular form by which information relating to the sender of the message and the unsubscribe mechanism may be accessed, in circumstances where it is not practicable to include such information in a CEM, for instance, because of character limitations.

Section 6 of the Act prohibits the sending of a CEM unless there is express or implied consent from the recipient of that message. Section 7 of the Act prohibits, absent express consent, the alteration of transmission data in an electronic message which results in the message being delivered to a different destination. Section 8 of the Act prohibits the installation of a computer program unless express consent has been obtained. The Commission’s proposed regulations prescribe the form of a request for express consent for the purposes of subsections 10(1) and 10(3) of the Act. More specifically, the proposed regulations stipulate that any request for express consent must clearly identify the person seeking consent and, if different, the person on whose behalf consent is sought, and, if applicable, the names of those persons’ businesses. In addition, it is proposed that contact information be included for such persons, and further, that there be a requirement to include a statement which states that consent may be withdrawn using the contact information provided.

The focus of the final segment of the proposed regulations is the installation of computer programs in the course of a commercial activity, which, as noted above, is addressed in section 8 of the Act. The proposed provisions prescribe that additional information be provided when requesting express consent if a computer program that performs a function set out in subsection 10(5) of the Act is to be installed. In such circumstances, the proposed regulations prescribe the manner in which the computer program’s material elements must be brought to the attention of the person from whom consent is being sought, and further establish that the person seeking consent must obtain a written acknowledgement from the person from whom consent is sought that they understand and agree that the program performs the specified functions.